OneClik Cyberattack Campaign Targets Energy Sector Using Microsoft ClickOnce and AWS

A sophisticated cyber-espionage campaign named OneClik is actively targeting energy, oil, and gas organizations using a combination of legitimate cloud infrastructure and novel attack techniques. The campaign, attributed to an unknown but likely state-affiliated actor, leverages Microsoft's ClickOnce deployment technology to deliver custom Golang-based malware known as RunnerBeacon. The use of AWS APIs for command-and-control (C2) communications allows OneClik to operate within trusted cloud environments, making detection by traditional tools extremely difficult.

The campaign reflects broader trends in critical infrastructure cyber threats — particularly the abuse of legitimate services to “live off the land” and the use of advanced anti-analysis techniques to avoid detection. RunnerBeacon exhibits environment-aware behavior, anti-debugging checks, and is compiled in Golang to evade traditional antivirus scanning. While attribution remains inconclusive, indicators suggest a potential link to China-affiliated actors.

This episode explores how OneClik fits into the evolving threat landscape and what defenders should know:

• How Microsoft’s ClickOnce technology is abused in phishing emails for stealthy malware deployment
• The use of AWS cloud services as a trusted C2 infrastructure to bypass detection
• RunnerBeacon’s anti-debugging and sandbox-evasion mechanisms, including RAM and domain checks
• The targeting of nuclear and energy facilities as part of broader geopolitical cyber pressure
• Recent ransomware trends in the energy sector, with attacks up 80% year-over-year
• The rise of Golang malware in cyber campaigns and its impact on defensive tooling
• The critical importance of supply chain and credential monitoring in energy networks

OneClik underscores a modern cyber warfare model: sophisticated, cloud-native, and evasive. As threat actors move deeper into the supply chains and IT layers of critical infrastructure, defenders must evolve beyond perimeter controls to emphasize behavioral detection, threat attribution, and real-time intelligence. For cybersecurity leaders in energy and utilities, understanding this campaign is essential to preparing for what comes next.